Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos ¡ @cs.columbia.edu Technical Report May 19, 2004 Abstract We discuss the elastic versions of block ciphers whose round function processes subsets of bits from the data block differently, such as occurs in a Feistel network and in MISTY1. We focus on how specific bits are selected to be swapped after each round when forming the elastic version, using an elastic version of MISTY1 and differential cryptanalysis to illustrate why this swap step must be carefully designed. We also discuss the benefit of adding initial and final key dependent permutations in all elastic block ciphers. The implementation of the elastic version of MISTY1 is analyzed from a performance perspective. Keywords: Block Cipher Design, Elastic Block Cipher, Variable Length Block Cipher, Encryption Algorithm, MISTY1 1 Introduction The concept of an elastic block ciphers was introduced in [5] and provides a method by which an existing block cipher can be modified to create a variable length block cipher accepting all block lengths up to twice its original block size. In the elastic version, bits beyond the normal block size are left out of the round function then XORed and swapped with bits output from the round function in order to become part of the input to the next round. The bits output from the round function involved in the XOR become the set left out in the next round. The number of rounds are increased such that the round function is applied to each bit position the same number of times as in the original block cipher. In general, care must be taken in selecting the bits to be swapped when the round function processes subsets of the bits differently. Initial and end of round whitening are also added when forming the elastic version if not already present and applied to the entire block. We take a closer look at elastic block ciphers in terms of how bits are swapped into and out of positions acted on by the round function. Both the manner in which bit positions are swapped at the end of each round, and key dependent initial and final permutations are considered. The bit positions involved in the swap are of most interest in the elastic versions of block ciphers whose round function operates on a subset of the bits, such as occurs in a Feistel network and in MISTY1 [8]. We use differential cryptanalysis of elastic MISTY1 to illustrate why careful selection of which bits are omitted from each round is required. In addition, the implementation of the elastic version of MISTY1 is analyzed from a performance perspective. We selected to use MISTY1 for our analysis for several reasons. Aside from being an example of a block cipher with a Feistel-like structure whose round function processes subsets of bits differently, it is NESSIE’s recommendation for a 64 bit block cipher [3] and the elastic version adds more overhead compared to the elastic version of AES [5] due to the lack of whitening in MISTY1. 1 The elastic version of AES [2] was analyzed in [5]. Since AES contains per round whitening, the end of round swap step was the determining factor in how the performance compares between AES and Elastic AES. Furthermore, the manner in which the bits are swapped is straightforward in that sequential bits are chosen with the starting position rotating within the first 128 bits. In contrast, the elastic version of MISTY1 requires adding initial whitening and end of round whitening, and due to the left and right halves of the 64 bit block being processed differently, the bits chosen for the swap alternate starting positions between the left and right halves. MISTY1 is also of interest in that it can be viewed as having two round functions, each used in alternate rounds. When creating the elastic version of MISTY1, two rounds from regular MISTY1 are viewed as a single round which is then augmented to contain end of round whitening and the swap step. In addition to proper selection of bit positions for the swap step, we discuss the use of an initial key dependent permutation and mixing of bits in order to allow all bits to impact the output of the round function in the first round. This complicates differential cryptanalysis [4] by eliminating the existence of a first round differential that occurs with a probability of 1 in the elastic version of any block cipher. Likewise, appending such steps to the end of the cipher prevents a differential from ocurring with a probability of 1 when performing a differential attack that starts with the ciphertexts and uses differentials for decryption. The remainder of this paper is organized as follows. Section 2 briefly reviews the method for construct- ing an elastic block cipher and the MISTY1 block cipher. Section 3 discusses general rules for selecting which bits to swap. Section 4 describes the elastic version of MISTY1 and illustrates the impact of care- ful selection by determing bounds on differential probabilities for Elastic MISTY1. Section 5 discusses the benefits of initial and final key dependent permutations and mixing of bits. Section 6 summarizes the performance of Elastic MISTY1 compared to regular MISTY1. Section 7 concludes the paper. 2 Background 2.1 Elastic Block Cipher Algorithm We review the algorithm from [5] for modifying the encryption and decryption functions of existing block ¡¢ ¤£¦¥ ciphers to accept blocks of size to , where is the block size of the original block cipher. The algorithm was designed such that it neither modifies the round function of the block cipher nor changes the number of rounds applied to each bit, but rather creates a method by which bits beyond the supported block size can be interleaved with bits in the supported block size. Additional key material beyond that generated by the block cipher’s key schedule is required due to end of round whitening applied to all bits and optional key dependent permutations. The exact key schedule for the elastic version of the cipher will depend on the block cipher. Options from [5] include include modifying the cipher’s original key schedule to provide the extra key bits, using an existing stream cipher as the key schedule or a combination of the cipher’s key schedule and a stream cipher. Figure 1 from [5] illustrates the general structure of the elastic block cipher using AES as the original cipher. The following notation and terms will be used in the description of the elastic block cipher. Notation: §©¨ denotes any existing block cipher that is structured as a sequence of rounds. ¨ § denotes the number of rounds in . § ¨ denotes the block length of the input to in bits. § denotes a single block of plaintext. §© denotes a single block of ciphertext. 2 §¡ £¥¤ £©¥§¦ is an integer in the range ¢ . §©¨©¨ ¨ ¨ ¨ denotes the modified with bit input for any valid value of . will be referred to as the elastic version of ¨ . §©¨ ¨ ¨ ¨ denotes for a specific value of . § ¨ ¨ ¨ denotes the number of rounds in . § denotes a key. § denotes a set of round keys resulting from the key expansion. ¨© ¨ ¨ §©¨ and will refer to with the round keys resulting from expanding key , and to with the round keys , respectively. Terminology: § A bit (position) input to a block cipher is called active in a round if the bit is input to the round function. For example, in DES [1] of the bits are active in each round, while in AES all bits are active in each round. ¨ ¨ § The round function will refer to one entire round of . For example, if is a Feistel network, the round function of ¨ will be viewed as consisting of one entire round of the Feistel network as opposed to just the function used within the Feistel network. 128 bits y bits Plaintext 128+y bits, 0 ≤ y < 128 bits AddRoundKey Optional Key Dependent Mixing S-Box Shiftrows MixColumns AES round, except last AddRoundKey Total # of rounds = ! 10(128+y)/128" Addition to round to swap y bits. ⊕ XOR y bits left out of round with y bits that were in the round, and swap the two segments S-Box Shiftrows last round Optional Key Dependent Mixing AddRoundKey 128+y bit ciphertext Figure 1: Elastic Version of AES ¨ ¨ Given and a plaintext of length bits, make the following modifications to ’s encryption ¨ function to create the encryption function of ¨ : 3 ¨ 1. Set the number of rounds, , such that each of the bits is input to and active in the same number ¢¤£ £ ¨©¨ ¨ ¨ ¦¥ §¥©¨ ¡ of rounds in as each of the bits is in . ¨ 2. XOR all bits with key material as the first step. If includes whitening as the first step prior to ¨ the first round, the step is modified to include bits. If does not have an initial whitening step, ¨ this step is added to ¨ . 3. (Optional) Add a simple key dependent mixing step that permutes or mixes the bits in a manner that any individual bit is not guaranteed to be in the rightmost bits with a probability of 1. This will be referred to as the mixing step and it is viewed as the identity function if it is omitted. Similarly, a final key dependent mixing step may be added. 4. Input the leftmost bits output from the mixing step into the round function. 5. If the round function includes XORing with key material at the end of the round and/or as a final ¨ step in the algorithm, the whitening should be performed on all bits.